On Wed, Apr 25, 2012 at 3:15 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Apr 25, 2012 at 9:05 AM, jfranz <[email protected]> wrote:
>> Hi guys,
>>
>> I'm pretty new to OSSEC and running into problems getting a centralized
>> configuration done.
>>
>> I'm running OSSEC-Server on a CentOS 6.2 box and OSSEC-Agent on a
>> Ubuntu 12.04 box. Everything is working fine so far (only plain
>> installation and connecting the agent to the server).
>>
>> Here comes the trouble: I changed the host-deny and firewall-drop
>> commands inside the ossec.conf of the server to location "all". As I
>> understand it, this means that i.e. if somebody is bruteforcing the
>> sshd running on the agent, the host-deny and firewall-drop active
>> responses should trigger both on the agent and the server. In my case,
>> this doesn't work. I can see the sshd bruteforce attack inside the
>> logs on the server, so the connection between agent and server works,
>> but only the agent which was under attack blocked the ip via iptables
>> and host.deny, and not the server.
>>
>
> Unfortunately I think this is the way it works. "all" actually means
> "all agents," not "all systems." I think this might be worth looking
> into...

Ok. That makes sense. Will test that by adding another machine/agent to my testing setup.

>
>> As I understand it, the agent uses the ossec.conf and *_rules.xml
>> files from the server?!?!
>>
>
> No. Each agent uses its own ossec.conf, and possibly the agent.conf
> from the server.
>
> The rules and decoders are only handled on the server. The agent
> passes a log message to the server, which then compares it to the
> decoders/rules.
>

Ok. Got that. But how does an agent know when to use an active response, based on a rule that is parsed on the server after the agent sends its log?

>> In my case, the server config file has the following md5sum:
>> 1dd21647768bd23ac2a83e62adbbc0ca ossec.conf
>>
>> The agent is using a different one:
>>
>> OSSEC HIDS agent_control. Agent information:
>> Agent ID: 001
>> Agent Name: Client1
>> IP address: 10.17.0.15
>> Status: Active
>>
>> Operating system: Linux testing 3.2.0-22-generic-pae #35-Ubuntu SMP Tu..
>> Client version: OSSEC HIDS v2.6 / 77843f5c451af0a872a5e4733655aa1e
>> Last keep alive: Wed Apr 25 14:55:16 2012
>>
>> Syscheck last started at: Wed Apr 25 14:30:15 2012
>> Rootcheck last started at: Wed Apr 25 14:40:43 2012
>>
>> This one is located under ../shared/agent.conf on the server:
>> 77843f5c451af0a872a5e4733655aa1e shared/agent.conf
>>
>> The OSSEC documentation says that I can push a centralized
>> configuration from the server to the agent, by creating the file
>> ../shared/agent.conf. In my case, this file already exists and
>> contains a perl script.
>>
>
> That's wrong. I don't know why there would be a perl script there.
> Something went haywire in your installation.
>

Yepp. Did a clean install on the server and files look fine now. No more perl script in there. Btw: Thx for your help ;)

>> I'm stuck. So, how can I use a centralized set of rules that I created
>> in the local_rules.xml on the server and push it to the agent and how
>> can an alarm on one of the agents be triggered on all agents
>> connecting to the same server?
>>
>> I would really appreciate if anybody could help me out with this,
>> because OSSEC seems to be really nice!
>>
>> Best regards,
>> _joern_
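For reference, here is an added example of the relevant part of the manager's ossec.conf (this is not from the thread above or from the OSSEC project's own files). The manager evaluates the rules and sends the active-response command to whichever hosts `<location>` selects, so the agents never need the rules themselves: `all` covers every agent, and a second `<active-response>` block for the same command with `server` covers the manager itself. The level 10 threshold and the 600 second timeout are assumptions picked for the sshd brute-force case.

```xml
<ossec_config>
  <!-- Command definition, same name as the stock firewall-drop entry.
       The manager passes the decoded source IP to the script. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- "all" = every agent connected to this manager. An alert raised from
       one agent's sshd log makes every agent block the source IP. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>      <!-- assumed threshold; sshd brute force alerts at 10 -->
    <timeout>600</timeout> <!-- assumed: unblock after 10 minutes -->
  </active-response>

  <!-- "all" does not include the manager. A second block with
       location "server" runs the same command on the manager. -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The same pair of blocks works for host-deny; active response must not be disabled in each agent's own ossec.conf for the `all` entry to take effect there.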
